From 6a5b086d10922df6cd11bbad36b7cae2f2377f07 Mon Sep 17 00:00:00 2001
From: azyrite
Date: Sat, 8 Mar 2025 21:44:17 +1100
Subject: [PATCH] feat!: copy config into container

It is no longer recommended to mount /etc/searxng to a directory for configuration files. Instead, only mount /etc/searxng/auth for the tokens.txt file
---
 Dockerfile | 11 ++-
 config/limiter.toml | 17 +++++
 config/settings.yml | 174 ++++++++++++++++++++++++++++++++++++++++++++
 src/auth/auth.py | 2 +-
 4 files changed, 200 insertions(+), 4 deletions(-)
 create mode 100644 config/limiter.toml
 create mode 100644 config/settings.yml

diff --git a/Dockerfile b/Dockerfile
index 5457c08..f202aae 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -45,15 +45,15 @@ RUN addgroup -g ${GID} searxng \
 && chown -R searxng:searxng . \
 && su searxng -c "/usr/bin/python3 -m searx.version freeze"
 
-# copy run.sh
-COPY ./src/run.sh /usr/local/bin/run.sh
-
 # include patches for authorized api access
 COPY ./src/auth/auth.py searx/auth.py
 RUN sed -i -e "/if output_format not in settings\\['search'\\]\\['formats'\\]:/a\\ from searx.auth import valid_api_key\\n if (not valid_api_key(request)):" -e 's|flask.abort(403)| flask.abort(403)|' /usr/local/searxng/searx/webapp.py \
 && sed -i "/return Response('', mimetype='text\/css')/a \\\\n@app.route('//search', methods=['GET', 'POST'])\\ndef search_key(key=None):\\n from searx.auth import auth_search_key\\n return auth_search_key(request, key)" /usr/local/searxng/searx/webapp.py \
 && sed -i "/3\. If the IP is not in either list, the request is not blocked\./a\\ from searx.auth import valid_api_key\\n if (valid_api_key(request)):\\n return None" searx/limiter.py
 
+# copy run.sh
+COPY ./src/run.sh /usr/local/bin/run.sh
+
 # make run.sh executable, copy uwsgi server ini, set default settings, precompile static theme files
 RUN cp -r -v dockerfiles/uwsgi.ini /etc/uwsgi/; \
 chmod +x /usr/local/bin/run.sh; \
@@ -61,6 +61,11 @@ su searxng -c "/usr/bin/python3 -m compileall -q searx"; \
 find /usr/local/searxng/searx/static -a \( -name '*.html' -o -name '*.css' -o -name '*.js' -o -name '*.svg' -o -name '*.ttf' -o -name '*.eot' \) \
 -type f -exec gzip -9 -k {} \+ -exec brotli --best {} \+
 
+# copy searxng settings
+COPY ./config/settings.yml /etc/searxng/settings.yml
+# copy limiter settings
+COPY ./config/limiter.toml /etc/searxng/limiter.toml
+
 # expose port and set tini as CMD; default user is searxng
 USER searxng
 EXPOSE 8080
diff --git a/config/limiter.toml b/config/limiter.toml
new file mode 100644
index 0000000..91f0d74
--- /dev/null
+++ b/config/limiter.toml
@@ -0,0 +1,17 @@
+[real_ip]
+x_for = 2
+
+# bans on ipv6 apply to the whole /40 block
+# households typically get /32 to /64 so this is a good compromise
+ipv6_prefix = 40
+
+[botdetection.ip_lists]
+pass_ip = [
+ '51.159.53.89/32', # Allow https://cryptcheck.fr
+ '2001:bc8:1200:4:208:a2ff:fe0c:67ea/64' # Allow https://cryptcheck.fr
+]
+
+pass_searxng_org = true
+
+[botdetection.ip_limit]
+link_token = true
diff --git a/config/settings.yml b/config/settings.yml
new file mode 100644
index 0000000..351211f
--- /dev/null
+++ b/config/settings.yml
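Review bot: The two added `COPY` instructions create `/etc/searxng/settings.yml` and `/etc/searxng/limiter.toml` with COPY's default root ownership, and the image then switches to `USER searxng`, so the runtime user can read these files but not change them. That is a sound default for baked-in configuration, but if run.sh (not shown) rewrites settings.yml at start-up to inject values, that write will fail under the searxng user. State the intent in a comment above the COPY lines, for example `# baked-in config: root-owned and read-only for the searxng user; secrets come from the environment`, and confirm run.sh needs no write access to /etc/searxng. The RUN instruction whose tail opens this hunk starts outside it.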
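Review bot: The IPv6 entry in `pass_ip`, `'2001:bc8:1200:4:208:a2ff:fe0c:67ea/64'`, is written as a single host address but carries a /64 prefix, so if it is parsed as a network every address in that /64 skips the limiter, while the IPv4 entry beside it is one host (/32). If only the cryptcheck.fr scanner is meant, use `'2001:bc8:1200:4:208:a2ff:fe0c:67ea/128'`. Separately, the comment above `ipv6_prefix = 40` says households get /32 to /64; residential delegations are usually /48 to /64, so a /40 ban also covers many unrelated subscribers of the same provider and the comment should say so. `x_for = 2` is only correct when exactly two trusted proxies sit in front of the container, and a one-line comment naming them would help the next operator.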
@@ -0,0 +1,174 @@
+general:
+ debug: false
+ instance_name: "Astrial Search",
+ privacypolicy_url: "https://astrial.org/privacy"
+ donation_url: false
+ contact_url: "https://astrial.org"
+ enable_metrics: true
+
+brand:
+ new_issue_url: https://github.com/searxng/searxng/issues/new
+ docs_url: https://docs.searxng.org/
+ public_instances: https://searx.space
+ wiki_url: https://github.com/searxng/searxng/wiki
+ issue_url: https://github.com/searxng/searxng/issues
+
+search:
+ # 0: none, 1: moderate, 2: strict
+ safe_search: 0
+ autocomplete: ""
+ favicon_resolver: ""
+ default_lang: "auto"
+ ban_time_on_fail: 5 # seconds
+ max_ban_timeon_fail: 60 # seconds
+ suspended_times:
+ # Engine suspension time after error (in seconds; set to 0 to disable)
+ # For error "Access denied" and "HTTP error [402, 403]"
+ SearxEngineAccessDenied: 86400
+ # For error "CAPTCHA"
+ SearxEngineCaptcha: 86400
+ # For error "Too many request" and "HTTP error 429"
+ SearxEngineTooManyRequests: 3600
+ # Cloudflare CAPTCHA
+ cf_SearxEngineCaptcha: 1296000
+ cf_SearxEngineAccessDenied: 86400
+ # ReCAPTCHA
+ recaptcha_SearxEngineCaptcha: 604800
+
+ # [html, csv, json, rss]
+ formats:
+ - html
+ - json
+
+server:
+ port: 8080
+ bind_address: "0.0.0.0"
+ base_url: "https://search.astrial.org/"
+ limiter: true
+ public_instance: true
+ secret_key: '' # overwritten by ${SEARXNG_SECRET_KEY}
+ image_proxy: true
+ # 1.0 or 1.1
+ http_protocol_version: "1.1"
+ method: "POST"
+ default_http_headers:
+ X-Content-Type-Options: nosniff
+ X-Download-Options: noopen
+ X-Robots-Tag: noindex, nofollow
+ Referrer-Policy: no-referrer
+
+redis:
+ url: '' # overwritten by ${SEARXNG_REDIS_URL}
+
+ui:
+ static_path: ''
+ # cache busting
+ static_use_hash: true
+ templates_path: ''
+ query_in_title: false
+ infinite_scroll: false
+ default_theme: "simple"
+ center_alignment: false
+ default_locale: ""
+ theme_args:
+ simple_style: auto
+ search_on_category_select: true
+ # default, vim
+ hotkeys: default
+ # pretty, full, host
+ url_formatting: pretty
+
+# lock settings on preference page
+preferences:
+ lock: [autocomplete]
+
+outgoing:
+ request_timeout: 3 # seconds
+ useragent_suffix: "+webmaster [at] astrial [dot] org"
+ # max concurrent connections
+ pool_connections: 100
+ # max keepalive connections
+ pool_maxsize: 20
+ enable_http2: true
+
+categories_as_tabs:
+ general:
+ images:
+ videos:
+ news:
+ map:
+ music:
+ it:
+ science:
+ files:
+ social media:
+
+### Engines ###
+engines:
+ - name: wikipedia
+ engine: wikipedia
+ shortcut: wiki
+ display_type: [infobox, list]
+ categories: [general]
+
+ - name: wikinews
+ engine: mediawiki
+ shortcut: wikin
+ categories: [news]
+ base_url: "https://{language}.wikinews.org/"
+ search_type: text
+ srsort: create_timestamp_desc
+ about:
+ website: "https://www.wikinews.org/"
+ wikidata_id: Q964
+
+ - name: wiktionary
+ engine: mediawiki
+ shortcut: wikit
+ categories: [dictionaries, wikimedia]
+ base_url: "https://{language}.wiktionary.org/"
+ search_type: text
+ about:
+ website: https://www.wiktionary.org/
+ wikidata_id: Q151
+
+ - name: bing
+ engine: bing
+ shortcut: b
+
+ - name: bing images
+ engine: bing_images
+ shortcut: bii
+
+ - name: bing news
+ engine: bing_news
+ shortcut: bin
+
+ - name: bing videos
+ engine: bing_videos
+ shortcut: biv
+
+ - name: google
+ engine: google
+ shortcut: g
+
+ - name: google images
+ engine: google_images
+ shortcut: goi
+
+ - name: google news
+ engine: google_news
+ shortcut: gon
+
+ - name: google scholar
+ engine: google_scholar
+ shortcut: gos
+
+ - name: youtube
+ engine: youtube_noapi
+ shortcut: yt
+
+ # Art Institute of Chicago
+ - name: artic
+ engine: artic
+ shortcut: arc
diff --git a/src/auth/auth.py b/src/auth/auth.py
index 848674e..4f5085d 100644
--- a/src/auth/auth.py
+++ b/src/auth/auth.py
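Review bot: `instance_name: "Astrial Search",` under `general:` ends with a comma after the closing quote, which is not valid in a YAML block mapping and will most likely make the whole settings file fail to parse; drop the comma so the line reads `instance_name: "Astrial Search"`. In `search:`, `max_ban_timeon_fail` looks like a typo for SearXNG's `max_ban_time_on_fail`, so the intended 60-second cap would not take effect. `secret_key: ''` relies entirely on the environment override named in its comment; upstream SearXNG documents that variable as `SEARXNG_SECRET`, so confirm that `SEARXNG_SECRET_KEY` is really mapped by run.sh (not shown) and that start-up fails when it is unset instead of running with an empty key.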
@@ -13,7 +13,7 @@ def get_tokens():
 global valid_tokens_set
 if valid_tokens_set is None:
 try:
- with open("/etc/searxng/auth_tokens.txt") as file:
+ with open("/etc/searxng/auth/tokens.txt") as file:
 valid_tokens_set = {line.strip() for line in file}
 except Exception:
 valid_tokens_set = set()
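Review bot: The set comprehension kept as context, `{line.strip() for line in file}`, puts an empty string into `valid_tokens_set` whenever tokens.txt contains a blank line, so an empty token could be accepted unless `valid_api_key` (outside this hunk) rejects it first; filter blanks with `valid_tokens_set = {t for t in map(str.strip, file) if t}`. The path change also makes the `except Exception:` branch more likely to fire: a deployment that still mounts `/etc/searxng/auth_tokens.txt` gets an empty set with no message, and because the result is stored in the global, the file is not read again on later calls. Catch `OSError` and log the path that failed instead of swallowing every exception. `get_tokens` starts and ends outside this hunk.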